Web lists-archives.com

Re: [Samba] Samba 4 users - UID/GID - or how to migrate




On Sun, 13 Jan 2019 21:41:39 +0100
Anton Blau via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Am 13.01.2019 um 20:41 schrieb Rowland Penny via samba:
> > On Sun, 13 Jan 2019 20:22:22 +0100
> > Anton Blau via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hello,
> >>
> >> I try to migrate my old SAMBA Installation to a new Installation.
> >> SAMBA is running. But my Windows users can see the shares but
> >> cannot open Files.
> >>
> >> My old Installation /etc/samba/smb.con
> >>
> >> ...
> >>
> >>
> >>          workgroup = DUCK
> >>           server string = %h server (Samba, Ubuntu)
> >>           interfaces = eth0 192.168.1.200/255.255.255.0 localhost
> >>           bind interfaces only = Yes
> >>           security = USER
> >>           map to guest = Bad User
> >>           obey pam restrictions = Yes
> >>           pam password change = Yes
> >>           passwd program = /usr/bin/passwd %u
> >>           passwd chat = *Enter\snew\s*\spassword:* %n\n
> >> *Retype\snew\s*\spassword:* %n\n
> >> *password\supdated\ssuccessfully* . unix password sync = Yes
> >>           log file = /var/log/samba/log.%M
> >>           max log size = 1000
> >>           time server = Yes
> >>           unix extensions = No
> >>           printcap name = cups
> >>           logon script = %U\logon.bat
> >>           logon path = \\gustav\profiles\%U\winxpprofile
> >>           logon drive = z:
> >>           logon home = \\gustav\profiles\%U\w9xprofile
> >>           domain logons = Yes
> >>           os level = 255
> >>           preferred master = Yes
> >>           domain master = Yes
> >>           wins proxy = Yes
> >>           wins support = Yes
> >>           usershare allow guests = Yes
> >>
> >> New (Proxmox LXV) with: /etc/samba/smb.con
> >>
> >>        -- snip because false file
> >>
> >> I think the problem is the mappig to the uid/gid of the new samba.
> >>
> >> The user "testuser" on the old System has uid 500 and gid 100. I
> >> created my testuser - who can access on the old Installation on the
> >> new Installation:
> >>
> >> samba-tool user create testuser --unix-home=/home/gerhard
> >> --uid-number=501 --login-shell=/bin/bash --gid-number=100
> >>
> >>
> >> What is to to to get full access?
> >>
> > Well, as you are using samba-tool to create users and your last post
> > was about setting up an AD DC, you could try setting up your Unix
> > domain member correctly and when you do, do not use such low ID
> > numbers. I suggest you read this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Your smb.conf above is for an NT4-style PDC.
> >
> > Rowland
> >
> >
> Sorry,
> 
> I posted the wrong text. This is the /etc/samba/smb.conf (testparm)
> of the new LXC SAMBA Server:
> 
> 
>   realm = SMBDOMAIN.DUCK
>          workgroup = SMBDOMAIN
>          dns forwarder = 192.168.1.254
>          disable spoolss = Yes
>          load printers = No
>          printcap name = /dev/null
>          passdb backend = samba_dsdb
>          server role = active directory domain controller
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap_ldb:use rfc2307 = yes
>          idmap config * : backend = tdb
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          printing = bsd
>          vfs objects = dfs_samba4 acl_xattr
> 
> In future only the new Samba should run. So Samba is not a Domain 
> Member. I hope I understand you correct.
> 
> NT4-style PDC should be migrated to AD DC.
> 

So, you only have the DC running in container but you do not want to run
another container with a Unix domain member in it. This does not make
sense, why not just run the DC on the computer without all the bother
of the container ?

Where did all those lines in your smb.conf come from ?

It really should only be:

         netbios name = SHORTHOSTNAME_IN_UPPERCASE
         realm = SMBDOMAIN.DUCK
         server role = active directory domain controller
         dns forwarder = 192.168.1.254
         workgroup = SMBDOMAIN
         idmap_ldb:use rfc2307 = yes
         load printers = No
         printing = bsd
         printcap name = /dev/null
         disable spoolss = Yes

None of the other lines are needed

By default, a Samba AD DC is only used for authentication and it isn't
set up to allow users to login or connect. To allow this on a Debian
computer, you need to install the libpam-winbind, libnss-winbind and
libpam-krb5 packages, you will also have to change /etc/nsswitch, so
that the passwd and group lines look like this:

passwd:         compat winbind
group:          compat winbind

You should then be able to run 'getent passwd AN_AD_USER' and get
something like this:

root@dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The problem is, by default, you are more likely to see numbers in the
'3000000' range. To use any other numbers, you will have to add
uidNumber attributes to your users and gidNumber attributes to your
groups. All users will have Domain Users as their primary group (ID 100)

Do not use Unix IDs in the 500 range, these are just too much like the
RIDs Windows uses e.g. Administrator has the RID '500' which on a DC is
mapped to the Unix ID '0'

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba